This guide replaces any previous guacamole docker deployment guides on cb-net and will be kept up-to-date as new releases emerge.

Updated: 22/01/18 : New Guacamole release 0.9.14

Use this guide to deploy a fresh/ new install of guacamole on Ubuntu using Docker containers, instructions include Docker CE installation, Duo MFA configuration (if wanted, can be skipped) and Guacamole/ pre-requisite container deployment to get you up and running. Scenarios:

No Docker, and want to use Duo MFA: follows sections one, two and three

No Docker, but don’t want to use Duo MFA: follow section one and three only

Already have Docker and want to use MFA: follow sections two and three only

Already have Docker and don’t want to use MFA: follow section three only

TL:DR: when testing Docker with “–icc=false” on Ubuntu Server 16.04.3 I found that br_netfilter was required but not configured by default. Even when enabled, I found that the Docker Host physical network was not protected against container breakout. Testing with IP Masquerade disabled addressed Docker Host physical network security, however, with ICC and IP Masquerade disabled it was just as “easy” to manage the environment with “–iptables=false” and a firewall script.

I recently ran through an exercise where I was testing Docker Container Network Isolation in a lab environment – this involved reviewing the impact of disabling ICC, IP Masquerade and Docker’s interaction with IP tables itself. The scenarios I was trying to provide isolation for are as follows:

Docker Container access to Docker Containers within the same Docker network

Docker Container access to other Docker Containers in different Docker network

TL:DR : The Alexa skill may well require a manual Port Forwarding rule/ Plex Media Server configured to playback music on the Echo device itself. FLAC content (at time of writing) will randomly stop mid-song, or at the end of a song but fail to progress to the next track. MP3 content does not exhibit this issue. Either use MP3 media, or don;t expect to play music via your Echo device (for now).

Like “millions” of others over the Christmas period we obtained a generation 2 Echo device, with the (initial) sole purpose of replacing the DAB radio that struggles for reception in our kitchen. Having set the device up I started looking at what integrations there were for devices/ services we consume at home – Plex is the centre of our home Television and Music entertainment, so this seemed like an obvious candidate. On paper the Alex Plex skill enables (amongst other things):

Control of RasPlex devices, playing video/ audio content on any device (all of our Plex clients are Raspberry Pi 3’s running RasPlex)

The ability to play music via the Echo device itself

The pre-requisites are fairly simple – your Plex Media server must be configured for “remote access,” and you have to install/ configure the Alex Plex “skill.” I’ve been a long-term user of Plex on a variety of devices, so I knew remote access was in-place and working well. Sounds simple enough right…? Well, yes and no.

Enabling the skill was simple enough, but on instructing Alex to “ask Plex to play music by Incubus” I received a response stating that Alexa was “playing music by Incubus” but then silence. I tried this several times, all to no avail. RasPlex device control worked immediately, and I was able to play music without issue on these devices, instructing Alexa to “ask Plex to play music by Incubus on Kitchen TV” for example. Output from the Echo itself just would not work.

I headed to the Plex and Reddit/plex forums and sifted through a ton of similar issues. Eventually I got the damn thing playing music on the Echo itself by performing two changes:

Now I was presented with a further issue, music stopped “randomly” in the middle of a track. I could resume playback with a simple “Alexa, resume” command, but needless to say 30 – 60 seconds at a time, this got frustrating pretty quick. After a raft of testing I found that my older, MP3 based content would play through, without issue, but FLAC media would not. Again, trawling forums, I found others who had come to similar conclusions. Something appears to go wrong with transcoding media for the Echo. Workaround for now, use MP3 media or simply don’t use the Echo for music playback.

I’ve worked my way through a series of additional features for OSD Wizard (a ConfigMgr/ SCCM Task Sequence front-end/ modern HTA) this week – namely the introduction of run-time “modes” – Default, Set-Description, ExportOU, Test. With these modes you can now:

Set AD Computer Account description mid-Task Sequence using OSD Wizard/ Web Service as opposed to using a separate script with RunAs credentials

Perform a compatible OU export using the OSD Wizard script itself (and automate/ schedule this if so desired), rather than performing this manually

When I first started working with SCCM/ ConfigMgr a few years ago I ran into several issues with upstream teams trying to deploy Task Sequences to devices that were untested (i.e. there were no drivers), power was not plugged in, the user supplied hostname was duplicated in target domain etc. This generated unnecessary Incidents, and delays in getting devices out to users. I became increasingly frustrated at the lack of ConfigMgr built-in capabilities to address these issues, so I turned to vbScript to write a HTA / front-end to address these issues. vbScript is now, several years later, a dying technology, so over time I have re-written the vbScript/ HTA in PowerShell, leveraging WPF and XAML to generate a user interface.

OSD Wizard is a PowerShell script with a WPF/ XAML-based UI built for use within System Center Configuration Manager (SCCM / ConfigMgr) Task Sequences – it has two key purposes, the second of which is optional:

Reduce “human error” factors during early stages of Operating System Deployment

I ran into an issue when testing Windows 10 Enterprise 1703 in the lab, when deploying via ConfigMgr Current Branch – essentially after image deployment the machine would reboot and just show a blue screen with “just a moment.”

I came across this post which led to the solution – a modification to the Unattend.xml: